US10564997B2 - Computing system for securely executing a secure application in a rich execution environment - Google Patents


Info

Publication number: US10564997B2
Authority: US (United States)
Prior art keywords: virtual machine, machine group, privilege, normal, access request
Prior art date
Legal status: Active, expires
Application number: US15/683,889
Other languages: English (en)
Other versions: US20180129525A1 (en)
Inventors: Sung-min Hong, Woo-Hyung Chun, Young-Seok Kim, Sung-Jae Lee, Eun-Ok Jo
Current Assignee: Samsung Electronics Co Ltd
Original Assignee: Samsung Electronics Co Ltd
Priority date
Filing date
Publication date

Events:
Application filed by Samsung Electronics Co Ltd
Assigned to SAMSUNG ELECTRONICS CO., LTD. (assignment of assignors' interest; see document for details). Assignors: CHUN, WOO-HYUNG; JO, EUN-OK; LEE, SUNG-JAE; HONG, SUNG-MIN; KIM, YOUNG-SEOK
Publication of US20180129525A1
Application granted
Publication of US10564997B2
Legal status: Active
Adjusted expiration

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F9/00 Arrangements for program control, e.g. control units
                    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
                        • G06F9/44 Arrangements for executing specific programs
                            • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
                                • G06F9/45533 Hypervisors; Virtual machine monitors
                                    • G06F9/45558 Hypervisor-specific management and integration aspects
                                        • G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing
                                        • G06F2009/45579 I/O management, e.g. providing access to device drivers or storage
                                        • G06F2009/45583 Memory management, e.g. access or allocation
                                        • G06F2009/45587 Isolation or security of virtual machine instances
                                        • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
                        • G06F9/46 Multiprogramming arrangements
                            • G06F9/48 Program initiating; Program switching, e.g. by interrupt
                                • G06F9/4806 Task transfer initiation or dispatching
                                    • G06F9/4843 Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
                                        • G06F9/485 Task life-cycle, e.g. stopping, restarting, resuming execution
                                        • G06F9/4881 Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues
                            • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
                                • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
                                    • G06F9/5011 Allocation of resources, e.g. of the central processing unit [CPU] to service a request, the resources being hardware resources other than CPUs, Servers and Terminals
                                    • G06F9/5027 Allocation of resources, e.g. of the central processing unit [CPU] to service a request, the resource being a machine, e.g. CPUs, Servers, Terminals
                                • G06F9/5061 Partitioning or combining of resources
                                    • G06F9/5077 Logical partitioning of resources; Management or configuration of virtualized resources
                • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
                    • G06F12/02 Addressing or allocation; Relocation
                        • G06F12/08 Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
                            • G06F12/10 Address translation
                                • G06F12/1009 Address translation using page tables, e.g. page table structures
                • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
                    • G06F13/14 Handling requests for interconnection or transfer
                        • G06F13/16 Handling requests for interconnection or transfer for access to memory bus
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
                            • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
                        • G06F21/55 Detecting local intrusion or implementing counter-measures
                            • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                                • G06F21/567 Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
                        • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                • G06F2212/00 Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
                    • G06F2212/10 Providing a specific technical effect
                        • G06F2212/1052 Security improvement
                    • G06F2212/15 Use in a specific computing environment
                        • G06F2212/152 Virtualized environment, e.g. logically partitioned system
                • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                        • G06F2221/2149 Restricted operating environment
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Definitions

  • Example embodiments of the present inventive concepts relate to computing systems, and more particularly to computing systems for securely executing secure applications in rich execution environments.
  • TEE: trusted execution environment
  • REE: rich execution environment
  • ARM TrustZone
  • Some example embodiments provide a computing system that securely executes a secure application in a rich execution environment.
  • A computing system includes a processor.
  • The processor operates a plurality of virtual machines in which a plurality of operating systems are respectively executed.
  • The processor executes a hypervisor that groups the plurality of virtual machines into a normal virtual machine group and a privilege virtual machine group, and that controls hardware accesses requested by the normal virtual machine group and the privilege virtual machine group.
  • The processor executes a normal application in the normal virtual machine group, and executes a secure application in the privilege virtual machine group.
  • A computing system includes a processor.
  • The processor operates a plurality of virtual machines in which a plurality of operating systems are respectively executed.
  • The processor executes a hypervisor that controls hardware accesses requested by the plurality of virtual machines.
  • The processor executes a normal application in a first one of the plurality of virtual machines, and executes a secure application in a second one of the plurality of virtual machines.
  • A computing system includes a processor, and provides a rich execution environment (REE) and a trusted execution environment (TEE).
  • The processor operates a plurality of virtual machines in which a plurality of rich operating systems are respectively executed in the REE, and executes a secure operating system in the TEE.
  • The processor executes, in the REE, a hypervisor that groups the plurality of virtual machines into a normal virtual machine group and a privilege virtual machine group, and that controls hardware accesses requested by the normal virtual machine group and the privilege virtual machine group.
  • The processor executes a first secure application in the TEE, executes a normal application in the normal virtual machine group of the REE, and executes a second secure application in the privilege virtual machine group of the REE, where the second secure application requires a data throughput greater than the data throughput required by the first secure application in the TEE.
  • The computing system may execute the normal application in the normal virtual machine group, may execute the secure application in the privilege virtual machine group, and may block an access request from the normal virtual machine group for at least one hardware resource allocated to the privilege virtual machine group, thereby securely executing the secure application in the REE.
  • The computing system may use the intermediate physical addresses of the virtual machine groups directly as physical addresses of a memory device, without an address translation, thereby reducing virtualization overhead.
  • A system comprises: a memory device including a plurality of physical pages; a processor configured to operate a plurality of virtual machines in which a plurality of operating systems are respectively executed, to execute a hypervisor that controls hardware accesses requested by the plurality of virtual machines, to execute a normal application in a first one of the plurality of virtual machines, and to execute a secure application in a second one of the plurality of virtual machines; one or more master devices; and one or more hardware firewalls arranged between the one or more master devices and the memory device, wherein the processor and the one or more master devices are each configured to access data in the memory device.
  • FIG. 1 is a block diagram for describing a software architecture of a computing system according to example embodiments.
  • FIG. 2 is a block diagram for describing a hardware architecture of a computing system according to example embodiments.
  • FIG. 3 is a diagram for describing an example of a memory address translation in a computing system according to example embodiments.
  • FIG. 4 is a block diagram illustrating a hardware firewall included in a computing system according to example embodiments.
  • FIG. 5A and FIG. 5B are diagrams for describing examples of time points at which a normal virtual machine group and a privilege virtual machine group are generated.
  • FIG. 6A is a diagram illustrating an example of a normal access rule table included in the hardware firewall of FIG. 4.
  • FIG. 6B is a diagram illustrating an example of a privilege access rule table included in the hardware firewall of FIG. 4.
  • FIG. 6C is a diagram illustrating a memory device accessed by a normal virtual machine group and a privilege virtual machine group according to the examples of the access rule tables in FIGS. 6A and 6B.
  • FIG. 7 is a block diagram illustrating a portion of a computing system according to example embodiments.
  • FIG. 8 is a block diagram illustrating a hardware privilege generator included in a computing system according to example embodiments.
  • FIG. 9 is a diagram illustrating an example of a context table included in the hardware privilege generator of FIG. 8.
  • FIG. 10 is a block diagram illustrating a portion of a computing system according to example embodiments.
  • FIG. 11 is a block diagram for describing a software architecture of a computing system according to example embodiments.
  • FIG. 12 is a block diagram illustrating a hardware firewall included in a computing system according to example embodiments.
  • FIG. 13 is a diagram illustrating an example of a context table of a hardware privilege generator included in a computing system according to example embodiments.
  • FIG. 14 is a block diagram for describing a software architecture of a computing system according to example embodiments.
  • FIG. 1 is a block diagram for describing a software architecture of a computing system according to example embodiments.
  • A computing system 100 includes hardware 170, which includes a processor.
  • Computing system 100 (or the processor of computing system 100) may operate a plurality of virtual machines 112, 114, 132 and 134, and may execute a plurality of operating systems 122, 124, 142 and 144 in the plurality of virtual machines 112, 114, 132 and 134, respectively.
  • Computing system 100 may execute a hypervisor 150 that groups the plurality of virtual machines 112, 114, 132 and 134 into a normal virtual machine group 110 and a privilege virtual machine group 130, and that controls hardware accesses (or accesses to hardware 170) requested by normal virtual machine group 110 and privilege virtual machine group 130.
  • Hypervisor 150 may be software or a logical platform for executing or running the plurality of operating systems 122, 124, 142 and 144 at the same time in computing system 100, and may be referred to as a virtual machine monitor (VMM).
  • VMM: virtual machine monitor
  • Hypervisor 150 may group the plurality of virtual machines 112, 114, 132 and 134 into normal virtual machine group 110 and privilege virtual machine group 130.
  • Each virtual machine 112, 114, 132 and 134 may be classified as a normal virtual machine 112 and 114 in normal virtual machine group 110 or as a privilege virtual machine 132 and 134 in privilege virtual machine group 130.
  • Hypervisor 150 may manage at least one virtual machine 112 and 114 in normal virtual machine group 110 as normal virtual machine 112 and 114, and may manage at least one virtual machine 132 and 134 in privilege virtual machine group 130 as privilege virtual machine 132 and 134.
  • Hypervisor 150 may classify the resources of hardware 170 of computing system 100 into hardware resources accessible only by normal virtual machines 112 and 114, hardware resources accessible only by privilege virtual machines 132 and 134, and/or hardware resources accessible by both normal virtual machines 112 and 114 and privilege virtual machines 132 and 134, and may manage normal virtual machine group 110 (or normal virtual machines 112 and 114) and privilege virtual machine group 130 (or privilege virtual machines 132 and 134) such that each of virtual machines 112, 114, 132 and 134 accesses only the hardware resources it is permitted to access.
  • Hypervisor 150 may control the accesses to hardware 170 requested by normal virtual machine group 110 and privilege virtual machine group 130.
  • Hypervisor 150 may selectively block a hardware access request generated in normal virtual machine group 110 (e.g., by using a hardware firewall 400 of FIG. 4) such that at least one hardware resource allocated only to privilege virtual machine group 130 is not accessed by normal virtual machine group 110.
  • The at least one hardware resource may include at least one physical page of a memory device included in computing system 100. That is, hypervisor 150 may selectively block an access request for the memory device generated in normal virtual machine group 110 (e.g., by using a hardware firewall 400 of FIG. 4) such that at least one physical page allocated only to privilege virtual machine group 130 is not accessed by normal virtual machine group 110.
  • The hardware resource is not limited to a physical page of the memory device, and may be any hardware resource included in computing system 100.
  • At least one normal virtual machine 112 and 114 in normal virtual machine group 110 and at least one privilege virtual machine 132 and 134 in privilege virtual machine group 130 may be emulations of computer systems, and the plurality of operating systems 122, 124, 142 and 144 may be executed in virtual machines 112, 114, 132 and 134, respectively.
  • The plurality of operating systems 122, 124, 142 and 144 may be rich operating systems executed in a rich execution environment (REE).
  • Each operating system 122, 124, 142 and 144 may be an Android operating system (OS), an Android Wear OS, a Symbian OS, a Windows OS, a Tizen OS, etc.
  • Normal virtual machines 112 and 114 and privilege virtual machines 132 and 134, in which the rich operating systems are executed, may be able to execute a complicated application or a heavy application.
  • Operating systems 142 and 144 executed in privilege virtual machines 132 and 134 may have enhanced security compared with operating systems 122 and 124 executed in normal virtual machines 112 and 114.
  • Computing system 100 may execute one or more normal applications 126 and 128 in normal virtual machine group 110 (or in at least one normal virtual machine 112 and 114 in normal virtual machine group 110), and may execute one or more secure applications 146 and 148 in privilege virtual machine group 130 (or in at least one privilege virtual machine 132 and 134 in privilege virtual machine group 130). Since hypervisor 150 blocks an access request for at least one hardware resource allocated only to privilege virtual machine group 130 (e.g., by using a hardware firewall 400 of FIG.
  • Computing system 100 may execute normal applications 126 and 128 in normal virtual machine group 110, may execute secure applications 146 and 148 in privilege virtual machine group 130, and may block the access request from normal virtual machine group 110 for at least one hardware resource allocated to privilege virtual machine group 130, thereby securely executing secure applications 146 and 148 in the REE.
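The two mechanisms described above, a hypervisor that partitions physical pages between a normal and a privilege virtual machine group and a hardware firewall that consults a per-group access rule table while using the intermediate physical address directly as the physical address, are modelled in the following added Python example. This is illustrative code written for this page, not code from the patent or from Samsung: the 4 KiB page size, the master names (CPU, GPU), the page layout, the read/write permission encoding and the request sequence are all constructed assumptions, and the patent's own tables in FIGS. 6A and 6B are not reproduced.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple

PAGE_SIZE = 4096  # assumed page granularity for this model (not stated on the page)


class VmGroup(Enum):
    NORMAL = "normal"
    PRIVILEGE = "privilege"


# Access rule table: physical page index -> permitted operations ("r", "w").
# A page absent from a group's table is not accessible to that group at all.
AccessRuleTable = Dict[int, FrozenSet[str]]


@dataclass(frozen=True)
class AccessRequest:
    master: str      # issuing master, e.g. "CPU" or "GPU" (constructed names)
    group: VmGroup   # virtual machine group the request was generated in
    ipa: int         # intermediate physical address produced by the stage-1 MMU
    op: str          # "r" or "w"


@dataclass
class HardwareFirewall:
    """Sits between a master and the memory device; one rule table per VM group."""
    normal_table: AccessRuleTable
    privilege_table: AccessRuleTable
    denied: List[Tuple[str, str, int, str]] = field(default_factory=list)

    def physical_page(self, ipa: int) -> int:
        # The IPA is used as the physical address without a stage-2 translation,
        # so the target page is simply the IPA divided by the page size.
        return ipa // PAGE_SIZE

    def check(self, req: AccessRequest) -> bool:
        table = self.normal_table if req.group is VmGroup.NORMAL else self.privilege_table
        page = self.physical_page(req.ipa)
        allowed = req.op in table.get(page, frozenset())
        if not allowed:
            # Record blocked requests so the hypervisor (or an analyst) can see
            # which master tried to reach which page; this logging is a design
            # choice of this model, not something the page specifies.
            self.denied.append((req.master, req.group.value, page, req.op))
        return allowed


def build_firewall() -> HardwareFirewall:
    """Constructed hypervisor (EL2) policy: pages 0-3 normal-only, 4-7 privilege-only,
    page 8 shared read/write, page 9 shared but read-only for the normal group."""
    rw, ro = frozenset("rw"), frozenset("r")
    normal: AccessRuleTable = {p: rw for p in range(0, 4)}
    normal.update({8: rw, 9: ro})
    privilege: AccessRuleTable = {p: rw for p in range(4, 8)}
    privilege.update({8: rw, 9: rw})
    return HardwareFirewall(normal, privilege)


def run_scenario(fw: HardwareFirewall) -> List[bool]:
    """Constructed request sequence; returns the allow/deny decision for each."""
    requests = [
        AccessRequest("CPU", VmGroup.NORMAL, 0x0000, "r"),     # page 0, normal-only: allowed
        AccessRequest("GPU", VmGroup.NORMAL, 0x4000, "r"),     # page 4, privilege-only: denied
        AccessRequest("CPU", VmGroup.PRIVILEGE, 0x5000, "w"),  # page 5, privilege-only: allowed
        AccessRequest("CPU", VmGroup.NORMAL, 0x8000, "w"),     # page 8, shared: allowed
        AccessRequest("GPU", VmGroup.NORMAL, 0x9000, "w"),     # page 9, read-only for normal: denied
        AccessRequest("CPU", VmGroup.PRIVILEGE, 0x1000, "r"),  # page 1, normal-only: denied
    ]
    return [fw.check(r) for r in requests]


if __name__ == "__main__":
    firewall = build_firewall()
    for decision in run_scenario(firewall):
        print("allow" if decision else "deny")
    print("blocked:", firewall.denied)
```

Two points of the model are worth noting. First, the decision depends only on the requesting group and the target page, not on which master issued the request, so a device such as the GPU that has been handed a privilege-group buffer is treated exactly like the processor running that group. Second, because the IPA is used as the physical address, the rule table is the only thing standing between the normal group and the privilege-only pages; the integrity of that table (who may write it, and when it is programmed) is therefore the property to protect.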
  • FIG. 2 is a block diagram for describing a hardware architecture of a computing system according to example embodiments
  • FIG. 3 is a diagram for describing an example of a memory address translation in a computing system according to example embodiments.
  • a computing system 200 may include a processor 210 , devices 220 and 230 , a memory device 240 , an interconnect 250 and hardware firewalls 260 and 270 .
  • Computing system 200 may be any computing system requiring an execution of a secure application, such as a smart phone, a mobile phone, a tablet computer, a laptop computer, a personal computer, an MP3 player, a personal digital assistants (PDA), a portable multimedia player (PMP), a digital TV, a digital camera, portable game console, etc.
  • a secure application such as a smart phone, a mobile phone, a tablet computer, a laptop computer, a personal computer, an MP3 player, a personal digital assistants (PDA), a portable multimedia player (PMP), a digital TV, a digital camera, portable game console, etc.
  • PDA personal digital assistants
  • PMP portable multimedia player
  • Processor 210 may control an overall operation of computing system 200 .
  • processor 210 may be a central processing unit (CPU), an application processor (AP), a mobile processor, or the like.
  • processor 210 may execute a normal virtual machine group including at least one normal virtual machine, a privilege virtual machine group including at least one privilege virtual machine, and a hypervisor.
  • processor 210 may include a stage-1 memory management unit (STG1 MMU) 212 and a stage-2 memory management unit (STG2 MMU) 214 .
  • the STG1 MMU 212 may be controlled by operating systems that are operated in a first privilege level or an exception level-1 (EL1), and the STG2 MMU 214 may be controlled by the hypervisor that is operated in a second privilege level or an exception level-2 (EL2) having a higher privilege than the first privilege level or the EL1.
  • Devices 220 and 230 may include a graphics processing unit (GPU) 220 and/or a non-GPU 230 .
  • non-GPU 230 may include a hardware accelerator, a display device, an external subsystem, etc.
  • devices 220 and 230 may include STG1 MMUs 222 and 232 , respectively.
  • Processor 210 may be connected to a memory device 240 through interconnect 250 , and devices 220 and 230 may be connected to memory device 240 through hardware firewalls 260 and 270 and interconnect 250 .
  • Memory device 240 may serve as a main memory of computing system 200 .
  • memory device 240 may be a volatile memory device, such as a dynamic random access memory (DRAM) device, a static random access memory (SRAM) device, etc.
  • Processor 210 and/or devices 220 and 230 may operate as masters that output access requests for a hardware (or a slave) included in computing system 200 .
  • processor 210 and/or devices 220 and 230 may output an access request for memory device 240 generated in the normal virtual machine group or the privilege virtual machine group.
  • Operating systems executed in the normal virtual machine group and the privilege virtual machine group may provide virtual memories, and the access request for memory device 240 generated in the normal virtual machine group or the privilege virtual machine group may include a virtual address in a virtual address space.
  • the operating systems executed in the normal virtual machine group and the privilege virtual machine group may manage intermediate physical address spaces, respectively, and the access request including the virtual address may be translated into an access request including an intermediate physical address in the intermediate physical address spaces by STG1 MMUs 212 , 222 and 232 controlled by the operating systems.
  • In a conventional computing system, the plurality of virtual machines manage different intermediate physical address spaces, and a hypervisor translates an intermediate physical address in one of the different intermediate physical address spaces into an actual physical address of a memory device by using a STG2 MMU.
  • When the translation information is cached in a translation lookaside buffer (TLB), the STG2 MMU may rapidly perform the address translation.
  • On a TLB miss, however, the STG2 MMU should access a page table included in the memory device, and thus the address translation cannot be rapidly performed. That is, the conventional computing system has a virtualization overhead in operating the plurality of virtual machines.
  • the normal virtual machine group (or normal virtual machines) and the privilege virtual machine group (or privilege virtual machines) manage intermediate physical address spaces that are the same as an actual physical address space of memory device 240 .
  • the hypervisor may use the intermediate physical address as an actual physical address of memory device 240 without the address translation for the intermediate physical address, and the hypervisor may control STG2 MMU 214 and hardware firewalls 260 and 270 to check only whether each virtual machine group (or each virtual machine) is permitted to access a physical page of memory device 240 having the physical address.
  • the hypervisor may perform an access permission check on an access request output from processor 210 by using the STG2 MMU 214 , may perform an access permission check on an access request output from device 220 by using hardware firewall 260 , and may perform an access permission check on an access request output from device 230 by using hardware firewall 270 .
  • the hypervisor of computing system 200 may use the intermediate physical address as the actual physical address of memory device 240 without the address translation for the intermediate physical address, thereby minimizing the virtualization overhead.
  • an operating system executed in each normal virtual machine included in the normal virtual machine group may provide virtual memories having a first virtual address space 310 , and a first access request for memory device 240 generated in the normal virtual machine group (or in each normal virtual machine included in the normal virtual machine group) may include a first virtual address VA1 in first virtual address space 310 .
  • the operating system of the normal virtual machine group (or each normal virtual machine included in the normal virtual machine group) may control STG1 MMUs 212 , 222 and 232 to translate the first virtual address VA1 into a first intermediate physical address IPA1 in a first intermediate physical address space 330 .
  • an operating system executed in each privilege virtual machine included in the privilege virtual machine group may provide virtual memories having a second virtual address space 320 , and a second access request for memory device 240 generated in the privilege virtual machine group (or in each privilege virtual machine included in the privilege virtual machine group) may include a second virtual address VA2 in second virtual address space 320 .
  • the operating system of the privilege virtual machine group (or each privilege virtual machine included in the privilege virtual machine group) may control STG1 MMUs 212 , 222 and 232 to translate the second virtual address VA2 into a second intermediate physical address IPA2 in a second intermediate physical address space 340 .
  • each of first intermediate physical address space 330 of the normal virtual machine group and second intermediate physical address space 340 of the privilege virtual machine group may be the same as a physical address space 350 of memory device 240 . That is, intermediate physical addresses IPA1, IPA1-1 and IPA2 may be used, without translation, as physical addresses PA1 and PA2 in physical address space 350 .
  • the first intermediate physical address IPA1 may be used as a first physical address PA1 in physical address space 350 of memory device 240 , and the hypervisor may control STG2 MMU 214 or hardware firewalls 260 and 270 to selectively block the first access request based on access permission information of the normal virtual machine group for a physical page of memory device 240 having the first physical address PA1.
  • the hypervisor may control STG2 MMU 214 or hardware firewalls 260 and 270 to block an access request from the normal virtual machine group which includes a physical address corresponding to a physical page of memory device 240 that is allocated to the privilege virtual machine group.
  • computing system 200 may prevent data of a secure application executed in the privilege virtual machine group from being leaked to the normal virtual machine group.
  • the second intermediate physical address IPA2 may be used as a second physical address PA2 in physical address space 350 of memory device 240 , and the hypervisor may control STG2 MMU 214 or hardware firewalls 260 and 270 to selectively block the second access request based on access permission information of the privilege virtual machine group for a physical page of memory device 240 having the second physical address PA2.
  • the hypervisor may control STG2 MMU 214 or hardware firewalls 260 and 270 to block an access request from the privilege virtual machine group which includes a physical address corresponding to a physical page of memory device 240 that is allocated to the normal virtual machine group.
  • computing system 200 may prevent the secure application executed in the privilege virtual machine group from unintentionally or erroneously writing data into the physical page of memory device 240 allocated to the normal virtual machine group.
  • FIG. 4 is a block diagram illustrating a hardware firewall included in a computing system according to example embodiments
  • FIGS. 5A and 5B are diagrams for describing examples of time points at which a normal virtual machine group and a privilege virtual machine group are generated
  • FIG. 6A is a diagram illustrating an example of a normal access rule table included in a hardware firewall of FIG. 4
  • FIG. 6B is a diagram illustrating an example of a privilege access rule table included in a hardware firewall of FIG. 4
  • FIG. 6C is a diagram illustrating a memory device accessed by a normal virtual machine group and a privilege virtual machine group according to the examples of the access rule tables in FIGS. 6A and 6B .
  • a hardware firewall 400 of FIG. 4 may be a hardware firewall 260 connected to a device 220 in FIG. 2 , or may be a hardware firewall 270 connected to a device 230 in FIG. 2 .
  • Hardware firewall 400 may be implemented as a hardware (structure, device, module, block, unit, etc.) between a memory device 240 in FIG. 2 and a master (e.g., device 220 or device 230 operating as a master for a memory device 240 in FIG. 2 ) outputting an access request REQ for memory device 240 .
  • Hardware firewall 400 may store normal access permission information of a normal virtual machine group for respective ones of a plurality of physical pages of a memory device, and privilege access permission information of a privilege virtual machine group for the respective ones of the plurality of physical pages of the memory device. Hardware firewall 400 may selectively block the access request REQ based on at least one of the normal access permission information, the privilege access permission information, and whether the access request REQ is generated in the normal virtual machine group or the privilege virtual machine group. Since the selective blocking of the access request REQ is performed by hardware firewall 400 implemented as hardware, the security may be enhanced and the management and the selective blocking of the access request REQ may be performed more rapidly compared with a computing system where the access request REQ is managed by a software. Hardware firewall 400 may perform the selective blocking of the access request REQ for each physical page, and thus may be referred to as “Per-Page-Fire-Wall (PPFW)”.
  • hardware firewall 400 may include a programming interface module 410 , a normal access rule table 430 , a privilege access rule table 450 and an access permission checker 470 .
  • Programming interface module 410 may receive, from a hypervisor, a command, such as an on/off command, a write command for normal access permission information NAPI, a write command for privilege access permission information PAPI, etc.
  • Normal access rule table 430 may store the normal access permission information NAPI indicating whether the normal virtual machine group is permitted to access the respective ones of the plurality of physical pages.
  • Privilege access rule table 450 may store the privilege access permission information PAPI indicating whether the privilege virtual machine group is permitted to access the respective ones of the plurality of physical pages.
  • privilege access rule table 450 may be implemented with one table for the privilege virtual machine group.
  • privilege access rule table 450 may be implemented with one or more tables respectively for one or more privilege virtual machines in the privilege virtual machine group.
  • hardware firewall 400 may store the privilege access permission information PAPI per each privilege virtual machine.
  • Normal access rule table 430 may be generated by receiving the normal access permission information NAPI from the hypervisor through programming interface module 410
  • privilege access rule table 450 may be generated by receiving the privilege access permission information PAPI from the hypervisor through programming interface module 410 .
  • Access permission checker 470 may determine whether the access request REQ is for a physical page permitted to be accessed by referring to normal access rule table 430 or privilege access rule table 450 .
  • Access permission checker 470 may selectively block the access request REQ by referring to normal access rule table 430 in a case where the access request REQ is generated in the normal virtual machine group, and may selectively block the access request REQ by referring to privilege access rule table 450 in a case where the access request REQ is generated in the privilege virtual machine group.
  • normal access rule table 430 and privilege access rule table 450 may be generated at various timings.
  • the normal virtual machine group NVMG may be generated at a time point T1 when the computing system is booted, and the privilege virtual machine group PVMG may be generated at a later time point T2 when an execution of a secure application is requested while the normal virtual machine group NVMG operates.
  • normal access rule table 430 and privilege access rule table 450 may be generated at the time point T2 when the privilege virtual machine group PVMG is generated via programming interface module 410 .
  • normal access rule table 430 may be generated at the time point T1 when the normal virtual machine group NVMG is generated, and privilege access rule table 450 may be generated at the time point T2 when the privilege virtual machine group PVMG is generated. In this case, normal access rule table 430 may be updated at the time point T2 when privilege access rule table 450 is generated.
  • the normal virtual machine group NVMG and the privilege virtual machine group PVMG both may be generated, and normal access rule table 430 and privilege access rule table 450 may be generated.
  • normal access rule table 610 may include a page index PI for respective ones of the plurality of physical pages, read access permission information RAPI of the normal virtual machine group indicating whether the normal virtual machine group is permitted to read data from the respective ones of the plurality of physical pages, and write access permission information WAPI of the normal virtual machine group indicating whether the normal virtual machine group is permitted to write data into the respective ones of the plurality of physical pages.
  • normal access rule table 610 indicates that read and write accesses each are permitted for the normal virtual machine group with respect to a ‘page X’, that a write access is permitted but a read access is not permitted for the normal virtual machine group with respect to a ‘page Y’, and that read and write accesses each are not permitted for the normal virtual machine group with respect to a ‘page Z’.
  • privilege access rule table 620 may include a page index PI for respective ones of the plurality of physical pages, read access permission information RAPI of the privilege virtual machine group indicating whether the privilege virtual machine group is permitted to read data from the respective ones of the plurality of physical pages, and write access permission information WAPI of the privilege virtual machine group indicating whether the privilege virtual machine group is permitted to write data into the respective ones of the plurality of physical pages.
  • privilege access rule table 620 indicates that read and write accesses each are not permitted for the privilege virtual machine group with respect to the ‘page X’, that a write access is not permitted but a read access is permitted for the privilege virtual machine group with respect to the ‘page Y’, and that read and write accesses each are permitted for the privilege virtual machine group with respect to the ‘page Z’.
  • hardware firewall 400 may not block read and write access requests for ‘page X’ 640 and a write access request for ‘page Y’ 650 from the normal virtual machine group NVMG. However, hardware firewall 400 may block a read access request for ‘page Y’ 650 and read and write access requests for ‘page Z’ 660 from the normal virtual machine group NVMG. Further, hardware firewall 400 may not block a read access request for ‘page Y’ 650 and read and write access requests for ‘page Z’ 660 from the privilege virtual machine group PVMG.
  • hardware firewall 400 may block read and write access requests for ‘page X’ 640 and a write access request for ‘page Y’ 650 from the privilege virtual machine group PVMG.
  • the present inventive concepts may not be limited to the examples illustrated in FIGS. 6A through 6C .
  • FIG. 6B illustrates an example where privilege access rule table 620 is implemented as one table for the privilege virtual machine group PVMG, in other example embodiments, privilege access rule table 620 may be implemented as one or more tables respectively corresponding to one or more privilege virtual machines included in the privilege virtual machine group PVMG.
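The following Python model, added here as an illustration and not the patent's own code, implements the per-page check of hardware firewall 400 using the access rule tables of FIGS. 6A and 6B; the same check is what the hypervisor programs into STG2 MMU 214 for processor-originated requests, since the intermediate physical address is used as the physical address without translation. The page size, the page indices standing in for pages X, Y and Z, and the deny-by-default rule for pages with no table row are constructed assumptions.

```python
"""Software model of the per-page hardware firewall (PPFW) of FIG. 4 with the
access rule tables of FIGS. 6A and 6B. Added illustration; not the patent's own
code. Page size and page indices are constructed values."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Group(Enum):
    NORMAL = "NVMG"       # normal virtual machine group
    PRIVILEGE = "PVMG"    # privilege virtual machine group


class Access(Enum):
    READ = "R"
    WRITE = "W"


PAGE_SIZE = 4096  # assumed page granularity; the patent does not state one


@dataclass
class AccessRuleTable:
    """Rows of page index -> (RAPI, WAPI) for one virtual machine group.
    A page with no row is treated as not permitted (deny by default, an assumption)."""
    rules: Dict[int, Tuple[bool, bool]] = field(default_factory=dict)

    def write_rule(self, page_index: int, read_ok: bool, write_ok: bool) -> None:
        """Write command received from the hypervisor via the programming interface."""
        self.rules[page_index] = (read_ok, write_ok)

    def permitted(self, page_index: int, access: Access) -> bool:
        read_ok, write_ok = self.rules.get(page_index, (False, False))
        return read_ok if access is Access.READ else write_ok


@dataclass
class HardwareFirewall:
    normal_table: AccessRuleTable = field(default_factory=AccessRuleTable)
    privilege_table: AccessRuleTable = field(default_factory=AccessRuleTable)
    enabled: bool = True  # on/off command from the hypervisor

    def check(self, group: Group, ipa: int, access: Access) -> bool:
        """Return True if the request passes, False if the firewall blocks it.

        The intermediate physical address is used directly as the physical
        address (no stage-2 translation), so only the page's permission bit for
        the requesting group is consulted; the privilege information appended to
        the request selects which table is used."""
        if not self.enabled:
            return True
        page_index = ipa // PAGE_SIZE
        table = self.normal_table if group is Group.NORMAL else self.privilege_table
        return table.permitted(page_index, access)


# Constructed page indices standing in for 'page X', 'page Y' and 'page Z'.
PAGE_X, PAGE_Y, PAGE_Z = 0x10, 0x11, 0x12


def build_fig6_firewall() -> HardwareFirewall:
    """Program the tables exactly as FIGS. 6A and 6B describe them."""
    fw = HardwareFirewall()
    # Normal access rule table (FIG. 6A): X = RW, Y = write only, Z = none.
    fw.normal_table.write_rule(PAGE_X, True, True)
    fw.normal_table.write_rule(PAGE_Y, False, True)
    fw.normal_table.write_rule(PAGE_Z, False, False)
    # Privilege access rule table (FIG. 6B): X = none, Y = read only, Z = RW.
    fw.privilege_table.write_rule(PAGE_X, False, False)
    fw.privilege_table.write_rule(PAGE_Y, True, False)
    fw.privilege_table.write_rule(PAGE_Z, True, True)
    return fw


def blocked_requests(fw: HardwareFirewall, group: Group) -> List[Tuple[str, str]]:
    """List the (page, access) pairs the firewall blocks for a group over pages X, Y, Z."""
    pages = {"X": PAGE_X, "Y": PAGE_Y, "Z": PAGE_Z}
    return [(name, acc.value) for name, idx in pages.items() for acc in Access
            if not fw.check(group, idx * PAGE_SIZE, acc)]


if __name__ == "__main__":
    fw = build_fig6_firewall()
    for g in Group:
        print(g.value, "blocked:", blocked_requests(fw, g))
```

Extending this to the per-virtual-machine tables of FIG. 12 only requires keying the tables by VMID instead of by group.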
  • FIG. 7 is a block diagram illustrating a portion of a computing system according to example embodiments
  • FIG. 8 is a block diagram illustrating a hardware privilege generator included in a computing system according to example embodiments
  • FIG. 9 is a diagram illustrating an example of a context table included in a hardware privilege generator of FIG. 8 .
  • a computing system 700 may include a plurality of masters 710 , 720 , 730 and 740 that output access requests for a slave, for example a memory device.
  • plurality of masters 710 , 720 , 730 and 740 may correspond to at least one device 220 and 230 illustrated in FIG. 2 .
  • respective masters 710 , 720 , 730 and 740 may have different port identifications (PORT IDs).
  • a first master 710 may have a PORT ID of ‘0x0’
  • a second master 720 may have a PORT ID of ‘0x1’
  • a third master 730 may have a PORT ID of ‘0x2’
  • a fourth master 740 may have a PORT ID of ‘0x3’.
  • Computing system 700 may further include a hardware privilege generator 760 implemented as a hardware (structure, device, module, block, unit, etc.) between plurality of masters 710 , 720 , 730 and 740 and a hardware firewall 780 . Since hardware privilege generator 760 is implemented as hardware, the security may be enhanced, and operations may be rapidly performed. When one of the plurality of masters 710 , 720 , 730 and 740 outputs an access request for a slave (e.g., the memory device), the access request may be transferred to hardware privilege generator 760 through an interconnect 750 .
  • Hardware privilege generator 760 may: receive the access request from the one master through interconnect 750 ; append, to the access request, privilege information indicating whether the access request is generated by a normal virtual machine group or a privilege virtual machine group; and output the access request to which the privilege information is appended.
  • hardware privilege generator 760 may include a programming interface module 762 , a context table 764 and a privilege generation module 766 .
  • Programming interface module 762 may receive, from a hypervisor, a command, such as an on/off command, a context write command, etc.
  • Context table 764 may store an operation mode for the access request REQ which depends on the master outputting the access request REQ. Contexts including the operation modes may be written from the hypervisor into context table 764 via programming interface module 762 .
  • Privilege generation module 766 may append the privilege information to the access request REQ by referring to context table 764 , and may output the access request REQ (WITH PI) to which the privilege information is appended.
  • context table 764 may include a context index CI for at least one context stored in context table 764 , a matching mask MM that is used in bit-wise masking for a request identification (ID) included in the access request REQ, a matching value MV that is bit-wise matched with the request ID on which the bit-wise masking is performed, and the operation mode OPMODE for the access request REQ including the request ID that is bit-wise matched with the matching value MV.
  • interconnect 750 may append the PORT ID of the one master to the end of the request ID of the access request REQ to indicate which one of the plurality of masters 710 , 720 , 730 and 740 outputs the access request REQ.
  • the last two digits of the access request REQ received by hardware privilege generator 760 may be the PORT ID of the one master that outputs the access request REQ.
  • hardware privilege generator 760 may perform the bit-wise masking with the matching mask MM on the request ID of the access request REQ.
  • a context including the matching mask MM having a value of ‘0x0’ may be a non-activated or disabled context, and this context may not be considered (or may be disregarded).
  • hardware privilege generator 760 may perform the bit-wise matching with the matching value MV on the request ID on which the bit-wise masking is performed, and may search a context including the matching value MV that is bit-wise matched with the request ID.
  • the access request REQ output from first master 710 having the PORT ID of ‘0x0’ may be matched with a context having the context index CI of ‘1’, and hardware privilege generator 760 may perform an operation corresponding to the operation mode OPMODE of ‘NOT_OVERRIDE’ on the access request REQ from first master 710 .
  • ‘NOT_OVERRIDE’ may represent that the privilege information is not appended to the access request REQ.
  • first master 710 may output the access request REQ with the privilege information by previously appending the privilege information to the access request REQ before outputting the access request REQ, and hardware privilege generator 760 may not perform a particular operation on the access request REQ according to the operation mode OPMODE of ‘NOT_OVERRIDE’.
  • the access request REQ output from second master 720 having the PORT ID of ‘0x1’ may not be matched with any context in context table 764 , and, in this case, hardware privilege generator 760 may perform a default operation on the access request REQ.
  • the access request REQ output from third master 730 having the PORT ID of ‘0x2’ may be matched with a context having the context index CI of ‘4’, and hardware privilege generator 760 may perform an operation corresponding to the operation mode OPMODE of ‘OVERRIDE_NORMAL’ on the access request REQ from third master 730 .
  • ‘OVERRIDE_NORMAL’ may represent that the privilege information indicating the normal virtual machine group is appended to the access request REQ.
  • Third master 730 may be a master that is controlled by the normal virtual machine group, and hardware privilege generator 760 may append the privilege information indicating the normal virtual machine group to the access request REQ from third master 730 according to the operation mode OPMODE of ‘OVERRIDE_NORMAL’.
  • the access request REQ output from fourth master 740 having the PORT ID of ‘0x3’ may be matched with a context having the context index CI of ‘3’, and hardware privilege generator 760 may perform an operation corresponding to the operation mode OPMODE of ‘OVERRIDE_PRIVILEGE’ on the access request REQ from fourth master 740 .
  • ‘OVERRIDE_PRIVILEGE’ may represent that the privilege information indicating the privilege virtual machine group is appended to the access request REQ.
  • Fourth master 740 may be a master that is controlled by the privilege virtual machine group, and hardware privilege generator 760 may append the privilege information indicating the privilege virtual machine group to the access request REQ from fourth master 740 according to the operation mode OPMODE of ‘OVERRIDE_PRIVILEGE’.
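The context-table lookup of hardware privilege generator 760 (FIGS. 8 and 9), as an added Python model that is not the patent's own code. The matching mask and value entries, the placement of the PORT ID in the low two bits of the request ID, and the default operation for an unmatched request are constructed assumptions chosen so that masters 710 to 740 produce the outcomes described above.

```python
"""Software model of the hardware privilege generator of FIG. 8 and the context
table of FIG. 9. Added illustration; not the patent's own code. The mask/value
entries, the 2-bit PORT ID field and the default operation are constructed
assumptions that reproduce the outcomes described for masters 710 to 740."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class OpMode(Enum):
    NOT_OVERRIDE = "NOT_OVERRIDE"
    OVERRIDE_NORMAL = "OVERRIDE_NORMAL"
    OVERRIDE_PRIVILEGE = "OVERRIDE_PRIVILEGE"


@dataclass(frozen=True)
class Context:
    index: int            # context index CI
    matching_mask: int    # MM, bit-wise ANDed with the request ID
    matching_value: int   # MV, compared with the masked request ID
    opmode: OpMode


@dataclass
class Request:
    request_id: int
    privilege: Optional[str] = None  # "NORMAL", "PRIVILEGE", or None if not yet appended


PORT_ID_BITS = 2  # assumption: the PORT ID occupies the low two bits of the request ID


def attach_port_id(request_id: int, port_id: int) -> int:
    """Interconnect step: append the master's PORT ID to the end of the request ID."""
    return (request_id << PORT_ID_BITS) | (port_id & ((1 << PORT_ID_BITS) - 1))


class HardwarePrivilegeGenerator:
    def __init__(self, contexts: List[Context], default_privilege: str = "NORMAL"):
        self.contexts = list(contexts)
        # Assumed default operation for a request that matches no context: tag it
        # as originating from the normal group, the least-privileged choice.
        self.default_privilege = default_privilege

    def lookup(self, request_id: int) -> Optional[Context]:
        """Search the context table; a context with MM == 0x0 is disabled and ignored."""
        for ctx in self.contexts:
            if ctx.matching_mask == 0:
                continue
            if (request_id & ctx.matching_mask) == ctx.matching_value:
                return ctx
        return None

    def process(self, req: Request) -> Request:
        ctx = self.lookup(req.request_id)
        if ctx is None:
            req.privilege = self.default_privilege
        elif ctx.opmode is OpMode.OVERRIDE_NORMAL:
            req.privilege = "NORMAL"
        elif ctx.opmode is OpMode.OVERRIDE_PRIVILEGE:
            req.privilege = "PRIVILEGE"
        # NOT_OVERRIDE: the master appended the privilege information itself and
        # the generator trusts it, so only masters that are themselves trusted
        # should be given this mode.
        return req


# Constructed context table. Only the PORT ID bits are matched; context 2 is
# disabled (MM = 0x0) even though its MV would otherwise match PORT ID 0x1.
FIG9_CONTEXTS = [
    Context(1, 0b11, 0b00, OpMode.NOT_OVERRIDE),        # master 710, PORT ID 0x0
    Context(2, 0b00, 0b01, OpMode.OVERRIDE_PRIVILEGE),  # disabled context
    Context(3, 0b11, 0b11, OpMode.OVERRIDE_PRIVILEGE),  # master 740, PORT ID 0x3
    Context(4, 0b11, 0b10, OpMode.OVERRIDE_NORMAL),     # master 730, PORT ID 0x2
]


def tag_from_master(port_id: int, raw_request_id: int,
                    preset: Optional[str] = None) -> Request:
    """Run one request from the master with the given PORT ID through the generator."""
    gen = HardwarePrivilegeGenerator(FIG9_CONTEXTS)
    return gen.process(Request(attach_port_id(raw_request_id, port_id), preset))


if __name__ == "__main__":
    for port in range(4):
        print(f"PORT ID 0x{port:x} ->", tag_from_master(port, 0x5, "PRIVILEGE").privilege)
```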
  • a virtual address included in the access request REQ (WITH PI) to which the privilege information is appended by hardware privilege generator 760 may be translated into an intermediate physical address (that is used as a physical address) by a STG1 MMU 770 , and the access request REQ (WITH PI) including the intermediate physical address may be provided to hardware firewall 780 .
  • Hardware firewall 780 may be informed of which one of the normal virtual machine group or the privilege virtual machine group generates the access request REQ based on the privilege information.
  • Hardware firewall 780 may selectively block the access request REQ by referring to a normal access rule table when the access request REQ is generated in the normal virtual machine group, and may selectively block the access request REQ by referring to a privilege access rule table when the access request REQ is generated in the privilege virtual machine group.
  • FIG. 10 is a block diagram illustrating a portion of a computing system according to example embodiments.
  • a hardware firewall 950 may be located not only between a plurality of masters 710 , 720 , 730 and 740 and a slave as illustrated in FIG. 7 , but also at a one-to-one communication channel between one master 910 and one slave 930 (e.g., a memory device or any hardware resource).
  • Master 910 may output an access request REQ for slave 930 .
  • Hardware firewall 950 may store access permission information of master 910 for slave 930 , and may selectively block the access request REQ based on the access permission information.
  • FIG. 11 is a block diagram for describing a software architecture of a computing system according to example embodiments
  • FIG. 12 is a block diagram illustrating a hardware firewall included in a computing system according to example embodiments
  • FIG. 13 is a diagram illustrating an example of a context table of a hardware privilege generator included in a computing system according to example embodiments.
  • a plurality of virtual machines 1010 , 1020 and 1030 in which a plurality of operating systems are respectively executed may be operated, and a hypervisor 1050 that controls accesses for a hardware 1070 requested by the plurality of virtual machines 1010 , 1020 and 1030 may be executed.
  • a normal application may be executed in at least a first one of the plurality of virtual machines 1010 , 1020 and 1030
  • a secure application may be executed in at least a second one of the plurality of virtual machines 1010 , 1020 and 1030
  • an access request for at least one hardware resource (e.g., a physical memory page) allocated to the second one of the plurality of virtual machines 1010 , 1020 and 1030 may be blocked when the access request is generated in the first one of the plurality of virtual machines 1010 , 1020 and 1030 .
  • computing system 1000 may include a hardware firewall 1100 of FIG. 12 located between a master outputting the access request and a corresponding slave (e.g., a memory device).
  • hardware firewall 1100 may include a programming interface module 1110 , a plurality of access rule tables (ARTs) 1130 , 1140 and 1150 respectively corresponding to the plurality of virtual machines 1010 , 1020 and 1030 , and an access permission checker 1170 .
  • Hardware firewall 1100 may have a configuration and an operation similar to those of a hardware firewall 400 of FIG. 4 , except that hardware firewall 1100 may include the plurality of access rule tables 1130 , 1140 and 1150 respectively corresponding to the plurality of virtual machines 1010 , 1020 and 1030 instead of a normal access rule table 430 and a privilege access rule table 450 illustrated in FIG. 4 .
  • Each access rule table 1130 , 1140 and 1150 may store access permission information of a corresponding one of the plurality of virtual machines 1010 , 1020 and 1030 for a plurality of physical pages of a memory device.
  • a hardware privilege generator may append, to the access request, information indicating which one of the plurality of virtual machines 1010 , 1020 and 1030 generates the access request.
  • Hardware firewall 1100 may receive, from the hardware privilege generator, the access request to which the information is appended, and may refer to one of the plurality of access rule tables 1130 , 1140 and 1150 corresponding to the virtual machine indicated by the appended information.
  • the hardware privilege generator may include a context table 1200 of FIG.
  • Context table 1200 may include a PORT ID and a virtual machine identification (VMID). To indicate which one of the plurality of virtual machines 1010 , 1020 and 1030 generates the access request REQ, the hardware privilege generator may append, to the access request REQ, the VMID corresponding to the PORT ID using context table 1200 .
  • FIG. 14 is a block diagram for describing a software architecture of a computing system according to example embodiments.
  • a computing system 1300 may provide a rich execution environment (REE) 1305 and a trusted execution environment (TEE) 1360 .
  • a processor of computing system 1300 may operate a plurality of virtual machines in which a plurality of rich operating systems 1320 and 1340 are respectively executed. Further, in REE 1305 , the processor of computing system 1300 may execute a hypervisor 1350 that groups the plurality of virtual machines into a normal virtual machine group 1310 and a privilege virtual machine group 1330 , and that controls hardware accesses requested by normal virtual machine group 1310 and privilege virtual machine group 1330 . The processor of computing system 1300 may execute a secure operating system 1370 in TEE 1360 .
  • a first secure application 1372 may be executed in TEE 1360
  • a normal application 1322 may be executed in normal virtual machine group 1310 of REE 1305
  • a second secure application 1342 that requires a data throughput greater than a data throughput required by first secure application 1372 may be executed in privilege virtual machine group 1330 of REE 1305 .
  • a light secure application 1372 that requires a relatively small data throughput may be executed in TEE 1360
  • a heavy secure application 1342 that requires a relatively large data throughput may be executed in privilege virtual machine group 1330 of REE 1305 .
  • the inventive concept may be applied to any computing system requiring an execution of a secure application.
  • the inventive concept may be applied to a smart phone, a mobile phone, a tablet computer, a laptop computer, a personal computer, an MP3 player, a PDA, a PMP, a digital TV, a digital camera, a portable game console, etc.


Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2016-0148716 2016-11-09
KR1020160148716A KR102511451B1 (ko) 2016-11-09 2016-11-09 Computing system for securely executing a secure application in a rich execution environment

Publications (2)

Publication Number Publication Date
US20180129525A1 US20180129525A1 (en) 2018-05-10
US10564997B2 true US10564997B2 (en) 2020-02-18

Family

ID=62064583

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/683,889 Active 2038-04-07 US10564997B2 (en) 2016-11-09 2017-08-23 Computing system for securely executing a secure application in a rich execution environment

Country Status (4)

Country Link
US (1) US10564997B2 (zh)
KR (1) KR102511451B1 (zh)
CN (1) CN108062242B (zh)
TW (1) TWI733890B (zh)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200167180A1 (en) * 2018-11-28 2020-05-28 Red Hat Israel, Ltd. Securing virtual machines in computer systems
US11709661B2 (en) 2014-12-19 2023-07-25 Splunk Inc. Representing result data streams based on execution of data stream language programs
US11928046B1 (en) * 2015-01-29 2024-03-12 Splunk Inc. Real-time processing of data streams received from instrumented software
EP4231160A4 (en) * 2020-11-12 2024-03-27 Huawei Tech Co Ltd METHOD FOR CONFIGURING ADDRESS TRANSLATION RELATIONSHIP, AND COMPUTER SYSTEM

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109600396A (zh) * 2019-01-23 2019-04-09 浙江安点科技有限责任公司 Firewall system achieving high reliability and security
US11487906B2 (en) * 2019-03-08 2022-11-01 International Business Machines Corporation Storage sharing between a secure domain and a non-secure entity
US11640361B2 (en) 2019-03-08 2023-05-02 International Business Machines Corporation Sharing secure memory across multiple security domains
US11531627B2 (en) 2019-03-08 2022-12-20 International Business Machines Corporation Secure storage isolation
US20220261476A1 (en) * 2019-07-22 2022-08-18 Nec Corporation Security management device, security management method and non-transitory computer-readable medium
KR20210026233A (ko) * 2019-08-29 2021-03-10 삼성전자주식회사 Electronic device for controlling access to device resources and operating method thereof
TWI791929B (zh) * 2019-11-28 2023-02-11 瑞昱半導體股份有限公司 General-purpose analysis device and method
US20220318391A1 (en) * 2021-04-06 2022-10-06 Hewlett Packard Enterprise Development Lp Deferred authentication in a secure boot system
CN113537498B (zh) * 2021-06-30 2022-07-26 电子科技大学 TrustZone-based trusted quantized model inference method
CN114021141A (zh) * 2021-10-29 2022-02-08 中国银联股份有限公司 Electronic device, trusted application invocation method, apparatus, device and medium

Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS5532793B2 (zh) 1973-09-29 1980-08-27
US20110314467A1 (en) * 2010-06-18 2011-12-22 At&T Intellectual Property I, L.P. Mobile Devices Having Plurality of Virtual Interfaces
US20120054744A1 (en) * 2010-05-10 2012-03-01 Manbinder Pal Singh Redirection of Information from Secure Virtual Machines to Unsecure Virtual Machines
US20120255003A1 (en) 2011-03-31 2012-10-04 Mcafee, Inc. System and method for securing access to the objects of an operating system
US8327353B2 (en) 2005-08-30 2012-12-04 Microsoft Corporation Hierarchical virtualization with a multi-level virtualization mechanism
US8819675B2 (en) 2007-11-28 2014-08-26 Hitachi, Ltd. Virtual machine monitor and multiprocessor system
US20140282543A1 (en) * 2013-03-15 2014-09-18 Ologn Technologies Ag Secure zone on a virutal machine for digital communications
US20140317737A1 (en) 2013-04-22 2014-10-23 Korea Internet & Security Agency Hypervisor-based intrusion prevention platform and virtual network intrusion prevention system
US8938782B2 (en) 2010-03-15 2015-01-20 Symantec Corporation Systems and methods for providing network access control in virtual environments
US9117091B2 (en) 2010-10-31 2015-08-25 Temporal Defense Systems, Llc System and method for securing virtual computing environments
US20150244710A1 (en) 2012-10-12 2015-08-27 Koninklijke Philips N.V. Secure data handling by a virtual machine
US20150277949A1 (en) * 2014-03-27 2015-10-01 Thiam Wah Loh Securing shared interconnect for virtual machine
US20150304716A1 (en) * 2012-11-05 2015-10-22 Viaccess Device for processing multimedia contents implementing a plurality of virtual machines
US20150319160A1 (en) 2014-05-05 2015-11-05 Microsoft Corporation Secure Management of Operations on Protected Virtual Machines
US20150332048A1 (en) * 2014-05-15 2015-11-19 Lynx Software Technologies, Inc. Systems and Methods Involving Features of Hardware Virtualization, Hypervisor, APIs of Interest, and/or Other Features
US20160162316A1 (en) * 2014-12-05 2016-06-09 International Business Machines Corporation Offloading and parallelizing translation table operations
US20160259731A1 (en) * 2015-03-02 2016-09-08 Arm Limited Memory management
US20170039080A1 (en) * 2015-08-07 2017-02-09 Futurewei Technologies, Inc. Offloading probabilistic computations in data analytics applications
US20180024944A1 (en) * 2016-07-22 2018-01-25 Qualcomm Incorporated Methods and apparatus for access control in shared virtual memory configurations

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8386749B2 (en) * 2010-03-16 2013-02-26 Advanced Micro Devices, Inc. Address mapping in virtualized processing system
US9785576B2 (en) * 2014-03-27 2017-10-10 Intel Corporation Hardware-assisted virtualization for implementing secure video output path

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11709661B2 (en) 2014-12-19 2023-07-25 Splunk Inc. Representing result data streams based on execution of data stream language programs
US11733982B1 (en) 2014-12-19 2023-08-22 Splunk Inc. Dynamically changing input data streams processed by data stream language programs
US11928046B1 (en) * 2015-01-29 2024-03-12 Splunk Inc. Real-time processing of data streams received from instrumented software
US20200167180A1 (en) * 2018-11-28 2020-05-28 Red Hat Israel, Ltd. Securing virtual machines in computer systems
US11237859B2 (en) * 2018-11-28 2022-02-01 Red Hat Israel, Ltd. Securing virtual machines in computer systems
US20220156103A1 (en) * 2018-11-28 2022-05-19 Red Hat Israel, Ltd. Securing virtual machines in computer systems
EP4231160A4 (en) * 2020-11-12 2024-03-27 Huawei Tech Co Ltd METHOD FOR CONFIGURING ADDRESS TRANSLATION RELATIONSHIP, AND COMPUTER SYSTEM

Also Published As

Publication number Publication date
CN108062242B (zh) 2023-07-21
TWI733890B (zh) 2021-07-21
KR20180051855A (ko) 2018-05-17
KR102511451B1 (ko) 2023-03-17
CN108062242A (zh) 2018-05-22
TW201818240A (zh) 2018-05-16
US20180129525A1 (en) 2018-05-10

Similar Documents

Publication Publication Date Title
US10564997B2 (en) Computing system for securely executing a secure application in a rich execution environment
US11288213B2 (en) Memory protection with hidden inline metadata
JP6903682B2 (ja) Data protection using virtual resource views
US9665724B2 (en) Logging in secure enclaves
US9355262B2 (en) Modifying memory permissions in a secure processing environment
JP4237190B2 (ja) Method and system for virtualizing guest physical addresses in a virtual machine environment
US8893267B1 (en) System and method for partitioning resources in a system-on-chip (SoC)
US10255088B2 (en) Modification of write-protected memory using code patching
US10664304B2 (en) Application memory protection using an extended page table switching virtual machine function
US10365825B2 (en) Invalidation of shared memory in a virtual environment
CN112241310B (zh) Page table management, information acquisition method, processor, chip, device and medium
CN106716435B (zh) Interface between a device and a secure processing environment
US11836091B2 (en) Secure memory access in a virtualized computing environment
US8006055B2 (en) Fine granularity hierarchiacal memory protection
CN116583840A (zh) PCI Express protection controller
US20200073691A1 (en) Secure and efficient memory sharing for guests
US8751724B2 (en) Dynamic memory reconfiguration to delay performance overhead
US10901914B2 (en) Method for writing multiple copies into storage device, and storage device
US20200201691A1 (en) Enhanced message control banks
EP4254203A1 (en) Device memory protection for supporting trust domains
US20220197993A1 (en) Compartment isolation for load store forwarding
US11074200B2 (en) Use-after-free exploit prevention architecture
CN112585590A (zh) Memory access control
CN116933271A (zh) Data processing method, apparatus, device and storage medium
CN116249972A (zh) Memory protection method and protection agent control apparatus

Legal Events

Date Code Title Description
AS Assignment

Owner name: SAMSUNG ELECTRONICS CO., LTD., KOREA, REPUBLIC OF

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HONG, SUNG-MIN;CHUN, WOO-HYUNG;KIM, YOUNG-SEOK;AND OTHERS;SIGNING DATES FROM 20170214 TO 20170317;REEL/FRAME:043371/0699

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4